From nobody Tue Jun 16 05:22:18 2026 Received: from mail-qk1-f174.google.com (mail-qk1-f174.google.com [209.85.222.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 23E481E9919 for ; Thu, 16 Apr 2026 13:43:18 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.222.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776347000; cv=none; b=oqSyVH1z3sg1P2kV7QHlSQ5hSJsZgi20QcucQho6q0HMyO9zUgl6ruCH3Fe4YuL0+akg7vDl55nihD59Ls81F+qseJ+dnBoSrELCz0a4aimvUDhBsmFu1t1qkdTb/RgmrmqVcalVoT90CO6J8bZ7PRIJx9Qgcl/mB16xFwbmo1Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1776347000; c=relaxed/simple; bh=pmr33UPV80r3AimG84BDA6JGI5flGSsHOl9kycOo5uI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=CSyD41M3N6EUPzOSIrNVfeXBuw6qqd3NKUTjXVg1Hcb1oCnN/Zyz7wGJk+lULH34WUFN4SpvqiQarKryiIsJtup0jtTu/vi2bGOhkN9VKPwMmzQKoAuqnrDrplple0Nx5c+PwGC1xU42gi48b5k5Dnze7GnpYgEgrpSui0tXuKE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=u.northwestern.edu; spf=pass smtp.mailfrom=u.northwestern.edu; dkim=pass (2048-bit key) header.d=u-northwestern-edu.20251104.gappssmtp.com header.i=@u-northwestern-edu.20251104.gappssmtp.com header.b=t9hn3Fx3; arc=none smtp.client-ip=209.85.222.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=u.northwestern.edu Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=u.northwestern.edu Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=u-northwestern-edu.20251104.gappssmtp.com header.i=@u-northwestern-edu.20251104.gappssmtp.com header.b="t9hn3Fx3" Received: by mail-qk1-f174.google.com with SMTP id af79cd13be357-8c70b5594f4so80647785a.1 for ; Thu, 16 Apr 2026 06:43:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=u-northwestern-edu.20251104.gappssmtp.com; s=20251104; t=1776346998; x=1776951798; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=faRnu299rc8RbF72AIXkrSjnL+KG7jYZt+i3QwegYds=; b=t9hn3Fx3Fgzqb/5ccntaUy84QwXON1+sY9NPGoeRoo3Zwk0LmsM9yAcgTohgdSNMJc 8DoqsA17tXaDW9tDkbMOKojkbmMrpOwVhb/faxOuAeLeuj+vhoqez+2040FFbhUGzSxq ROUnUo/dvWeOLCY37lZPe+ZRWy2seORUWS6tUM/2Wk5pzBBKT2ptbdPBM5O6Il19ErDy HFpwG152QOQqEAoZnNSGTy34FlhYH5mdbYbbUIn1z0DTLRlARhty4Qx7Y4kGz6eYhI/8 jdXEYmeb0ocsHUcDst8KgTlZ6HYjYrBBMARhNMAOrnRmhsjuqB6nZLL/qi6S1MFmEEf3 kLxw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776346998; x=1776951798; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=faRnu299rc8RbF72AIXkrSjnL+KG7jYZt+i3QwegYds=; b=DM9Y9GikBTSro8CwxKIDhEt80cAhqsCI8LzXtVEIBWCScAHRlQ2DNjpgiEOcfHjFNH 85upwXlil9dk+2T8XJwLZh/ElqoLKYjWZXmAg0HYsmniQLU70UY96WXBtofPJhKBOx7k hLGtH0NG/0oMYaWEWuu1jhJ4jOJ5NW14iO83ENNScXESLUFSjCC6fUWITeR+dpH9jPcQ 4fBvPM7aB0rZflonir2olw80YXvEo9GripCPP6WyQU2uCqmIMiDLkyVFOHmz8XWN2M62 SrccdM6yRdFdBGLoymMElAH892986/k8y7mMVbs9KB6eE+C3Xh6Xy9PaDMRP6HXtfT1Q 5Syw== X-Forwarded-Encrypted: i=1; AFNElJ9n3f94imRlLAgMMKrzMDzHwNcZCSJa+PEuOTrmDcX+SkSRBBrReTlxpmm/M3NSVrfy8Az3+TdFksaqkZA=@vger.kernel.org X-Gm-Message-State: AOJu0YwNkH8v8oGq2Z8pno9vWNCEeoW1hwSU3zjNFgoGB0u/ovbL2IDi stC0oVtZX9xsNfCc6sNQ9ogym8D83AZG734GPSHhJWFlSLKVy68GaBMt1/Z5xA+O0es= X-Gm-Gg: AeBDieutNfrUd8Yw7rlSzDTPrbUzXhHOiXAFelcARzF7dRgGZrpHqRa6OPztzKiM1qn nYZAMBTfd+4GP5oVPJECK4habyCra3CebPfXjehCY0dZJs/scooVSBYH+inAovXVnIWdqyd1u2J JRm0FgqnyVqLSCqkbr/sd9rqPRWVtO0OpTlCeYY626+rkuVHQO3X6ENMGrjJH1d454mY9QoqdYM MT+RLLdG6gQs46hglNCY0RBnOEqpep0sNo+VG166YVRwvycTy0Q32MZEd9HdWdYemC/+9L8z8WK UTqwM+pclesOQgUpjk1VoTXwFbS7LjXxpzbJ0JiHg6RPcI482PKLK8u65clmnlA6w2hlaK52oz3 BKt9vkoo+eIGOndMplwQZVH2RXgN3B3Ujpo66M9QUVGStc9zWWnpwQCsCg3pI/B3vIJlLalRIw9 KcHqrDfsd2DXJZU6YXHsRz8hZ8ocWuAfL4WPooB5Alyz+pJH9doazt9TdOVfKlT0qvSvaLy2UU/ 2JaMUJirR792Swy78AeHOE= X-Received: by 2002:a05:620a:2682:b0:8d5:8815:ffc6 with SMTP id af79cd13be357-8e689142d78mr201792685a.13.1776346998019; Thu, 16 Apr 2026 06:43:18 -0700 (PDT) Received: from conor-Inspiron-3020-S.mynetworksettings.com ([2600:4040:44b8:3600:d171:db71:e260:ff8d]) by smtp.gmail.com with ESMTPSA id af79cd13be357-8e4ef33bc4csm363886485a.12.2026.04.16.06.43.17 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 16 Apr 2026 06:43:17 -0700 (PDT) From: Conor Kotwasinski To: Greg Kroah-Hartman , Tejun Heo Cc: Sebastian Andrzej Siewior , driver-core@lists.linux.dev, linux-kernel@vger.kernel.org, Conor Kotwasinski , syzbot+0dfe499ea713e0a15bec@syzkaller.appspotmail.com Subject: [PATCH] kernfs: fix suspicious RCU usage in kernfs_put() Date: Thu, 16 Apr 2026 09:43:15 -0400 Message-ID: <20260416134315.1474726-1-conorkotwasinski2024@u.northwestern.edu> X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Commit 741c10b096bc ("kernfs: Use RCU to access kernfs_node::name.") converted the WARN_ONCE() in kernfs_put() to read kn->name and parent->name via rcu_dereference(), but kernfs_put() has callers that hold neither kernfs_rwsem nor the RCU read lock. The inode eviction path driven by memory reclaim is one such case: kernfs_put+0x53/0x60 fs/kernfs/dir.c:602 evict+0x3c2/0xad0 fs/inode.c:846 iput_final fs/inode.c:1966 [inline] iput.part.0+0x605/0xf50 fs/inode.c:2015 iput+0x35/0x40 fs/inode.c:1981 dentry_unlink_inode+0x2a1/0x490 fs/dcache.c:467 __dentry_kill+0x1d0/0x600 fs/dcache.c:670 shrink_dentry_list+0x180/0x5e0 fs/dcache.c:1174 prune_dcache_sb+0xea/0x150 fs/dcache.c:1256 super_cache_scan+0x328/0x550 fs/super.c:223 ... kswapd+0x556/0xba0 mm/vmscan.c:7343 lockdep complains with "suspicious RCU usage" whenever the WARN fires from such a context. Wrap the rcu_dereference() calls in an RCU read-side critical section. Gate on the active-ref check so the lock is only taken when the WARN is about to fire. Note that this does not address the underlying imbalance in kn->active that triggers the WARN. Fixes: 741c10b096bc ("kernfs: Use RCU to access kernfs_node::name.") Reported-by: syzbot+0dfe499ea713e0a15bec@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=3D0dfe499ea713e0a15bec Signed-off-by: Conor Kotwasinski Acked-by: Tejun Heo --- fs/kernfs/dir.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c index 4f9ade82b08a..e88b71607f1e 100644 --- a/fs/kernfs/dir.c +++ b/fs/kernfs/dir.c @@ -597,10 +597,13 @@ void kernfs_put(struct kernfs_node *kn) */ parent =3D kernfs_parent(kn); =20 - WARN_ONCE(atomic_read(&kn->active) !=3D KN_DEACTIVATED_BIAS, - "kernfs_put: %s/%s: released with incorrect active_ref %d\n", - parent ? rcu_dereference(parent->name) : "", - rcu_dereference(kn->name), atomic_read(&kn->active)); + if (atomic_read(&kn->active) !=3D KN_DEACTIVATED_BIAS) { + guard(rcu)(); + WARN_ONCE(1, + "kernfs_put: %s/%s: released with incorrect active_ref %d\n", + parent ? rcu_dereference(parent->name) : "", + rcu_dereference(kn->name), atomic_read(&kn->active)); + } =20 if (kernfs_type(kn) =3D=3D KERNFS_LINK) kernfs_put(kn->symlink.target_kn); --=20 2.53.0